Small Business

I operate a small business. How do I know if I am covered by the Privacy Act?

Generally speaking, most small businesses will not have to comply with the Privacy Act 1988 (Privacy Act). However, there are exceptions. A small business with an annual turnover of $3 million or less will have to comply with the Privacy Act if it is:

  • a health service provider
  • trading in personal information (e.g. buying or selling a mailing list)
  • a contractor that provides services under a Commonwealth contract
  • a reporting entity for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act)
  • an operator of a residential tenancy database
  • a credit reporting body
  • an employee association registered or recognised under the Fair Work (Registered Organisations) Act 2009
  • a business that conducts protected action ballots
  • a business that is related to a business covered by the Privacy Act
  • a business prescribed by the Privacy Regulation 2013; or
  • a business that has opted in to be covered by the Privacy Act.

If your business has an annual turnover of $3 million or less and meets one of the criteria above, the Privacy Act will apply to your business, or to some aspects of its operations.

To check whether you need to comply, you can seek advice from the Office of the Australian Information Commissioner (OAIC). The precise definition of a small business operator, and of the exceptions, is set out in section 6D of the Privacy Act.

If your small business is covered by the Privacy Act, you will have to comply with the Australian Privacy Principles (APPs).

What does ‘trading in personal information’ mean?

A business is ‘trading’ in personal information if it collects an individual’s personal information from, or discloses it to, someone else for a benefit, service or advantage. A benefit, service or advantage can be any kind of financial payment, concession or subsidy, or some other advantage or service.

Trading in personal information generally means buying, selling or bartering personal information: for example, buying a mailing list without first getting the consent of all the individuals on that list, or disclosing customer details to someone else for commercial gain.

A business is not trading in personal information if it gives or receives personal information for a benefit, service or advantage and it:

  • has the consent of all the individuals concerned; or
  • only does so when authorised or required by law.

If you trade in personal information, you will have to comply with the Australian Privacy Principles in the Privacy Act. Complying with the Privacy Act does not prevent you from collecting personal information for your business needs, but it does mean you must follow the rules about how that information is handled.

What does it mean to get the consent of an individual?

If a business is buying or selling personal information and does not want to be subject to the Privacy Act, it will need the consent of every individual concerned before the transaction is completed.

Adapted from the OAIC website, used under Creative Commons Attribution 3.0 Australia licence.